fix(repair): restrict unserialize() in RemoveBrokenProperties

[elicpeter]

• Resolves: #

Summary

RemoveBrokenProperties::run() calls unserialize() on the propertyvalue column without restricting allowed_classes. The result is only compared against false to identify broken rows, so no class instantiation is needed. As written though, magic methods (__wakeup/__destruct) on any class referenced by the serialized payload still execute.

The runtime decoder for the same column already restricts deserialization. See apps/dav/lib/DAV/CustomPropertiesBackend.php:675-678, which passes ['allowed_classes' => self::ALLOWED_SERIALIZED_CLASSES]. This change applies the same hardening to the repair step. It uses ['allowed_classes' => false] since the unserialized value is never used, only its truthiness is checked.

No behavior change for valid or broken rows.

Found while testing an in-development static analysis tool I'm building against open-source PHP codebases.

TODO

• ...

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)
• Labels added where applicable (ex: bug/enhancement, 3. to review, feature component)
• Milestone added for target branch/version (ex: 32.x for stable32)

AI (if applicable)

• The content of this PR was partly or fully generated using AI

[Altahrim]

Looks good, thank you!

[Copilot]

Pull request overview

Hardens the DAV properties repair step by preventing PHP object instantiation during unserialize() when scanning properties.propertyvalue for broken serialized payloads.

Changes:

• Updates RemoveBrokenProperties::run() to call unserialize(..., ['allowed_classes' => false]) when checking whether propertyvalue is broken.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

[welcome]

Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22

[kesselb]

/backport to stable34